From 3061da07f83744bc7ebbeb84ea31f74c0272d44a Mon Sep 17 00:00:00 2001
From: Ryan Canty
Date: Sat, 11 Apr 2020 14:32:00 -0700
Subject: [PATCH] Added docs for PR in Vault GCP Secrets repo
---
 website/pages/api-docs/secret/gcp/index.mdx | 6 ++++++
 website/pages/docs/secrets/gcp/index.mdx | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/website/pages/api-docs/secret/gcp/index.mdx b/website/pages/api-docs/secret/gcp/index.mdx
index 8d22f624d9e3..04d084207844 100644
--- a/website/pages/api-docs/secret/gcp/index.mdx
+++ b/website/pages/api-docs/secret/gcp/index.mdx
@@ -155,6 +155,12 @@ resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
 ],
 }
 
+resource "//bigquery.googleapis.com/projects/my-project/datasets/mydataset" {
+roles = [
+"roles/bigquery.dataViewer"
+],
+}
+
 resource "https://selflink/to/my/resource" {
 roles = [
 "project/mygcpproject/roles/projcustomrole",
diff --git a/website/pages/docs/secrets/gcp/index.mdx b/website/pages/docs/secrets/gcp/index.mdx
index eb3cb5d1f762..591c7bbf437d 100644
--- a/website/pages/docs/secrets/gcp/index.mdx
+++ b/website/pages/docs/secrets/gcp/index.mdx
@@ -236,6 +236,9 @@ few different formats:
 # Pubsub snapshot
 //pubsub.googleapis.com/project/my-project/snapshots/my-pubsub-snapshot
 
+# BigQuery dataset
+//bigquery.googleapis.com/projects/my-project/datasets/mydataset
+
 # Resource manager
 //cloudresourcemanager.googleapis.com/projects/my-project"
 ```
@@ -346,6 +349,10 @@ resourcemanager.projects.setIamPolicy
 # All compute
 compute.*.getIamPolicy
 compute.*.setIamPolicy
+
+# BigQuery Datasets
+bigquery.datasets.get
+bigquery.datasets.update
 ```
 
 You can either:
@@ -358,6 +365,11 @@ You can either:
 `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountKeyAdmin` so Vault can manage service accounts and keys.
 
+- Notice that BigQuery requires different permissions than other resource. This is
+ because BigQuery currently uses legacy ACL instead of traditional IAM permissions.
+ This means to update access on the dataset, Vault must be able to update the dataset's
+ metadata.
+
 ### Root Credential Rotation
 
 If the mount is configured with credentials directly, the credential's key may be